RECon2006

Alexander Sotirov - Reverse Engineering Microsoft Binaries

One of the applications of reverse engineering in computer security is the
analysis of operating systems and software for which no source code is
available. Most commonly the target is Microsoft Windows, and the goal is to
find new 0-day vulnerabilities or to understand the full impact of old bugs.
Reverse engineering Microsoft software presents numerous challenges. Based on
his experience with reversing all Microsoft patches from the last 6 months, the
speaker will present a number of techniques for improving the accuracy of the
disassembly output and automating the reverse engineering process. He will begin
with an overview of the differences between analyzing Microsoft binaries and
other forms of reverse engineering, such as disassembling malware. He will cover
common MSVC compiler optimizations, function chunking, C++ vtables, COM
objects, exception handling and more. In the second part of the presentation
he will focus on the problems with loading symbols and improving the results of
the IDA Pro autoanalysis. Finally, he will release the source code of an IDA
plugin that improves symbol loading and fixes common disassembly problems. Most
of the information presented is applicable to non-Microsoft applications as
well, but the examples he provides focus on his experience with reversing
Microsoft patches.

Bio

Alexander Sotirov has been involved in computer security since 1998, when he
became one of the editors of Phreedom Magazine, a Bulgarian underground
technical publication. For the past eight years he has been working on
reverse engineering, exploit code development and research in automated source
code auditing. His most well-known work is the development of highly reliable
exploits for Apache/mod_ssl, ProFTPd and Windows ASN.1. He graduated with a
Master's degree in computer science in 2005. His current job is as a chief
reverse engineer on the security research team at Determina Inc, a HIPS startup
in Redwood City, CA.

http://www.determina.com/security.research/